Network systems using various VPN (virtual private network) techniques are known as systems that can realize, for example, the placement and receipt of orders for products, materials and the like, and the settlement of payment, by transmitting IP (internet protocol) packet data over networks.
FIG. 5 shows a conventional network system using a VPN technique.
A plurality of access gateways 22-1 and 22-2 are connected to a network (A) 21, and a plurality of access gateways 24-1 and 24-2 are connected to a network (B) 23. A router 25 is connected to the access gateways 22-1 and 24-1, a router 26 is connected to the access gateway 22-2, and a router 27 is connected to the access gateway 24-2. User terminals 28, 29, 30 are connected respectively to the routers 25, 26, 27. The networks (A, B) 21, 23 are networks of network service providers, or service providers. Here the number of networks is two. However, the number of networks may be any number. Likewise, although two access gateways are used for each network, the number of access gateways per network may be any number.
An explanation will be given, for example, for the case where the user of a user terminal 28 sends data to a user terminal 29. Information sent from the user terminal 28 is introduced into the router 25. The router 25 decides the network through which the information from the user terminal 28 should be sent, based on destination data (the destination address) contained in the received information. Here the network (A) 21 is selected, and the router 25 transfers the information from the user terminal 28 to the access gateway 22-1. The access gateway 22-1 places the information from the user terminal 28 onto the network 21. As soon as the information transmitted over the network 21 reaches the access gateway 22-2, the access gateway 22-2, upon detecting from the destination data that the information is to be passed through it, transfers this information through the router 26 to the user terminal 29.
The system should be constructed so that information sent from each user terminal to the network 21 or 23 cannot be read even if it is transferred to a third party. For example, in the case of an internet VPN system, in sending information from a user terminal to a network through a collection of ISPs (Internet service providers), the information is encrypted by a firewall for security purposes. Since, however, the networks are a collection of ISPs, it is impossible to identify the network in which an accident has occurred. This leaves the responsibility for security unclear, and, for example, if information has leaked, the sender itself is held responsible for the leakage.
On the other hand, in the construction shown in FIG. 5, since a CUG (closed user group) service managed, for example, by a communication company or a service company is used, the responsibility for security, accidents and the like is clear. The reason for this is that, since communication is carried out through a single IP network (the network 21 or 23) rather than a collection of ISPs, the status of transmission can be grasped by each IP network. In the CUG service system, information is transmitted using IP within IP or MPLS (multi-protocol label switching) as the VPN technique, and, thus, a firewall is generally not required.
FIG. 6 shows examples of the IP packet formats used by IP within IP and by MPLS.
As shown in FIG. 6C, an original IP packet 40 comprises payload data 41 as a data portion and an IP header 42 as control information added to the head of the payload data 41. The IP header 42 comprises, for example, a destination address 43 and a sender address 44.
An IP packet 50 of the IP within IP system, shown in FIG. 6A, comprises this IP packet 40 (the payload data 41 with its IP header 42) and, added to the head of the IP packet 40, a capsule IP header 51 indicating the address of the router to which the sender is connected and the address of the router to which the send destination is connected. On the other hand, an IP packet 60 of the MPLS system comprises the payload data 41 and, added to the head of the payload data 41, an IP header 42 and an MPLS label 61. This MPLS label 61 comprises an MPLS label 62 for path designation and an MPLS label 63 for user designation.
FIG. 1 shows an example of data transmission by IP within IP and MPLS shown in FIG. 6. In this example, seven routers are provided.
Seven routers #1 31 to #7 37 are connected directly or indirectly over a network 21. A user terminal 28 is connected to the router #1 31, a user terminal 29 to the router #5 35, a user terminal 38 to the router #6 36, and a user terminal 39 to the router #7 37.
Here, when data is transmitted from the user terminal 28 to the user terminal 29, the send data passes along the path router #1 31→router #2 32→router #3 33→router #4 34→router #5 35, in this order.
When IP within IP is used, information indicating that the sender is the user terminal 28 is stored in the sender address 44 of the IP header 42 shown in FIG. 6A, and information indicating that the destination is the user terminal 29 is stored in the destination address 43. In the capsule IP header 51, information indicating that the sender is the router #1 is stored in the sender address, and information indicating that the destination is the router #5 is stored in the destination address. Thus, in IP within IP, the IP packet is encapsulated with the capsule IP header 51. As a result, even if the user of the user terminal 39, having learned the sender address 44 of the user terminal 28, attempts to transmit under the pretense of being the user of the user terminal 28, the data sent from the user terminal 39 is not delivered, because the address information in the capsule IP header 51 is different. This ensures a high level of security.
On the other hand, when MPLS is used, as shown in FIG. 6B, information indicating that the sender is the user terminal 28 is stored in the sender address 44 of the IP header 42, and information indicating that the destination is the user terminal 29 is stored in the destination address 43. Further, information indicating which path is to be selected at each transit point over the whole path router #1 31→router #2 32→ . . . is stored in the MPLS label 62 within the MPLS label 61, and information indicating the user information of the sender is stored in the MPLS label 63. With MPLS, the delay is constant because the transfer path is constant. Therefore, in the transmission of voice data or the like, for example, no pitch variation occurs in the voice, and, advantageously, the voice can be easily understood.
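The two encapsulations of FIG. 6 and the capsule-address check that the IP within IP explanation relies on, as an added Python illustration that is not part of the original description. The terminal and router addresses are constructed samples, the check at the egress router (accepting a packet only when the capsule sender is the router the inner sender actually attaches to) is an assumed model of why a packet injected from another router is not delivered, and IP checksums are left at zero.

```python
import struct
import ipaddress
# Constructed sample addresses (an assumption; the description gives none) for terminals
# 28, 29 and 39 of the seven-router example and the routers they attach to.
TERMINAL_28, TERMINAL_29, TERMINAL_39 = "10.0.1.28", "10.0.5.29", "10.0.7.39"
ROUTER_1, ROUTER_5, ROUTER_7 = "192.0.2.1", "192.0.2.5", "192.0.2.7"
ATTACHED_ROUTER = {TERMINAL_28: ROUTER_1, TERMINAL_29: ROUTER_5, TERMINAL_39: ROUTER_7}
PROTO_IPIP = 4  # IANA protocol number for IP-in-IP

def ip_header(src, dst, proto, payload_len):
    """20-byte IPv4 header: ver/IHL, TOS, length, id, flags, TTL, proto, checksum (left 0), src 44, dst 43."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)

def parse_ip_header(buf):
    """Return (sender address, destination address, protocol, bytes after the header)."""
    return str(ipaddress.ip_address(buf[12:16])), str(ipaddress.ip_address(buf[16:20])), buf[9], buf[(buf[0] & 0x0F) * 4:]

def encapsulate_ipip(packet_40, ingress_router, egress_router):
    """FIG. 6A: capsule IP header 51 (router to router) placed before the original packet 40."""
    return ip_header(ingress_router, egress_router, PROTO_IPIP, len(packet_40)) + packet_40

def encapsulate_mpls(packet_40, path_label, user_label):
    """FIG. 6B: entry for label 62 (path) over entry for label 63 (user); each is label<<12 | S bit 0x100 | TTL."""
    return struct.pack("!II", (path_label << 12) | 64, (user_label << 12) | 0x100 | 64) + packet_40

def decode_mpls(packet_60):
    """Pop label entries until the bottom-of-stack (S) bit is set; return the labels and the inner packet."""
    labels, offset, bottom = [], 0, False
    while not bottom:
        entry = struct.unpack("!I", packet_60[offset:offset + 4])[0]
        labels.append(entry >> 12)
        bottom, offset = bool(entry & 0x100), offset + 4
    return labels, packet_60[offset:]

def egress_check(packet_50, this_router):
    """Decapsulate at the egress router; accept only if the capsule sender is the router the inner sender attaches to."""
    outer_src, outer_dst, proto, packet_40 = parse_ip_header(packet_50)
    if outer_dst != this_router or proto != PROTO_IPIP:
        return None
    inner_src, inner_dst, _, payload = parse_ip_header(packet_40)
    if ATTACHED_ROUTER.get(inner_src) != outer_src:
        return None  # sender address 44 claims a terminal that sits behind a different router: drop
    return inner_src, inner_dst, payload

def demo():
    packet_40 = ip_header(TERMINAL_28, TERMINAL_29, 17, 5) + b"order"  # FIG. 6C original packet
    genuine = encapsulate_ipip(packet_40, ROUTER_1, ROUTER_5)  # capsule header built by router #1
    spoofed = encapsulate_ipip(packet_40, ROUTER_7, ROUTER_5)  # same inner packet, injected via router #7
    return egress_check(genuine, ROUTER_5), egress_check(spoofed, ROUTER_5), decode_mpls(encapsulate_mpls(packet_40, 1005, 28))
```

demo() returns the accepted genuine packet, None for the packet whose capsule header names the wrong router, and the decoded label stack [1005, 28] with the original packet restored.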
In the conventional network system, however, as the number of access lines 70 shown in FIG. 5 increases, the number of cases in which the protocol of the network at the connection destination differs also increases. This leads to IP within IP coexisting with MPLS, and requires protocol conversion processing. Therefore, the construction of the system is complicated. When the operator is different for each network, the user must contract with each operator (such as a service provider). This imposes the following burdens on the user.
(1) A bill for charges is sent from each service provider to the user, which is troublesome for the user.
(2) The user must contract with each of a plurality of service providers. Therefore, business routine, such as entry procedures, increases and becomes complicated.
(3) When the plurality of service providers differ in protocol, for example, a plurality of access lines must be brought in, which incurs extra equipment cost and communication cost.
For end users, it is preferable that a wide variety of services, including media delivery services and electronic commerce, can be received on one network infrastructure. At the current stage of progress of VPN services, however, consolidating all the services on one framework is unrealistic and poses the above problems.